Spec: Allow cross-origin script in addModule & align createWorklet #161
Conversation
There was a problem hiding this comment.
Thanks! Added a few nit comments. However, I think the following two sections also need to be updated:
- https://wicg.github.io/shared-storage/#set-up-a-worklet-environment-settings-object-monkey-patch. Instead of always returning
|moduleURL|'s [=url/origin=], it may also return the context origin depending on the options. - The network response's handling: https://wicg.github.io/shared-storage/#http-fetch-monkey-patch. e.g. it doesn't need to do the response header checking if the option is the default "context-origin".
Updated, could you please take another look? Thanks |
There was a problem hiding this comment.
Looks good % I'm not entirely convinced that relying on destination "sharedstorageworkletcontextorigin" is ideal (also as noted in my Gerrit comment). I recommend getting input from a spec owner.
Thanks, will do. I will either need to add the additional |
I've reviewed this pull request in regards to the destination question. I think it would be preferable to monkey-patch an internal property on My reasoning is that "how do we know when to add the header" is an internal implementation detail. In contrast, changing the destination is a change that results in different behavior for web sites. The destination value is exposed to sites a few different ways. So changing the destination for this purpose would require all sites checking the destination to now have to understand an additional enumerated value. In theory this should not be necessary given the information is covered in the newly exposed header. In addition, using an internal Another option you could consider, though, is sending the worklet data origin explicitly in a request header. This would maybe benefit the server receiving the request and also give you a comparison you can make to know to add the other header. (Or do you need the other header if you have this?) But I can see reasons why maybe not to do that. |
|
Also, just for my curiosity, what is the use case for using the origin of the addWorklet URL as the data origin? The linked explainer pull request #158 says cross-origin worklet scripts are motivated by CDN usage. I don't understand a scenario where someone would want data partitioned according to CDN origin. Is there another use case that isn't documented here? |
The use case for allowing the origin of the script URL as the dataOrigin is to enable third-party scripts to load worklets directly, without requiring an iframe. This is a pre-existing use case (#131) and isn't related to CDN. That is, an ad script could call However, neither of the two approaches supports hosting the script on a CDN, as cross-origin script hasn't been allowed for To align |
|
(@pythagoraskitty Re-requested change per Ben's comment. To monkey-patch an internal property on request, you can refer to the Topics spec) |
Add opaqueness check to fetch a single module script for sharedstorageworklet
SHA: 4320b8d Reason: push, by pythagoraskitty Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
We align the default data origin for createWorklet with that of addModule to be the invoking context's origin. We also hook up the dataOrigin option in createWorklet's options dictionary, so that the script origin can be manually specified to be used as the data origin instead. See WICG/shared-storage#158, WICG/shared-storage#161, and https://groups.google.com/a/chromium.org/g/blink-dev/c/YZ4XGewKVuk. Bug:353738488 Change-Id: I3578e48f14c9fb1005211b94889ce01ef209162c
We align the default data origin for createWorklet with that of addModule to be the invoking context's origin. We also hook up the dataOrigin option in createWorklet's options dictionary, so that the script origin can be manually specified to be used as the data origin instead. See WICG/shared-storage#158, WICG/shared-storage#161, and https://groups.google.com/a/chromium.org/g/blink-dev/c/YZ4XGewKVuk. Bug: 353738488 Change-Id: I3578e48f14c9fb1005211b94889ce01ef209162c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5716903 Reviewed-by: Yao Xiao <yaoxia@chromium.org> Commit-Queue: Cammie Smith Barnes <cammie@chromium.org> Cr-Commit-Position: refs/heads/main@{#1333189}
We align the default data origin for createWorklet with that of addModule to be the invoking context's origin. We also hook up the dataOrigin option in createWorklet's options dictionary, so that the script origin can be manually specified to be used as the data origin instead. See WICG/shared-storage#158, WICG/shared-storage#161, and https://groups.google.com/a/chromium.org/g/blink-dev/c/YZ4XGewKVuk. Bug: 353738488 Change-Id: I3578e48f14c9fb1005211b94889ce01ef209162c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5716903 Reviewed-by: Yao Xiao <yaoxia@chromium.org> Commit-Queue: Cammie Smith Barnes <cammie@chromium.org> Cr-Commit-Position: refs/heads/main@{#1333189}
…fault data origin w/addModule's, a=testonly Automatic update from web-platform-tests Shared Storage: Align createWorklet's default data origin w/addModule's We align the default data origin for createWorklet with that of addModule to be the invoking context's origin. We also hook up the dataOrigin option in createWorklet's options dictionary, so that the script origin can be manually specified to be used as the data origin instead. See WICG/shared-storage#158, WICG/shared-storage#161, and https://groups.google.com/a/chromium.org/g/blink-dev/c/YZ4XGewKVuk. Bug: 353738488 Change-Id: I3578e48f14c9fb1005211b94889ce01ef209162c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5716903 Reviewed-by: Yao Xiao <yaoxia@chromium.org> Commit-Queue: Cammie Smith Barnes <cammie@chromium.org> Cr-Commit-Position: refs/heads/main@{#1333189} -- wpt-commits: 71b107815a391a469b081cbb9242e1723ede50fb wpt-pr: 47296
…fault data origin w/addModule's, a=testonly Automatic update from web-platform-tests Shared Storage: Align createWorklet's default data origin w/addModule's We align the default data origin for createWorklet with that of addModule to be the invoking context's origin. We also hook up the dataOrigin option in createWorklet's options dictionary, so that the script origin can be manually specified to be used as the data origin instead. See WICG/shared-storage#158, WICG/shared-storage#161, and https://groups.google.com/a/chromium.org/g/blink-dev/c/YZ4XGewKVuk. Bug: 353738488 Change-Id: I3578e48f14c9fb1005211b94889ce01ef209162c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5716903 Reviewed-by: Yao Xiao <yaoxia@chromium.org> Commit-Queue: Cammie Smith Barnes <cammie@chromium.org> Cr-Commit-Position: refs/heads/main@{#1333189} -- wpt-commits: 71b107815a391a469b081cbb9242e1723ede50fb wpt-pr: 47296
We make the spec changes to accompany #158 .
In particular, we make it possible for
sharedStorage.worklet.addModule()to create a worklet with cross-origin worklet script. We also align the behavior ofsharedStorage.createWorklet()withaddmodule()so that it uses the invoking context's origin as the data partition origin by default, while adding a mechanism to use the script's origin instead if specified.For a more detailed description, please see #158 .
Preview | Diff